CNAME Uncloaking

Bug reports and enhancement requests
musonius
Master Bug Buster
Posts: 203
Joined: Sun Jul 08, 2018 5:38 pm

CNAME Uncloaking

Post by musonius »

Are there any plans to implement CNAME uncloaking like uBlock Origin since version 1.25.0?
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: CNAME Uncloaking

Post by barbaz »

Why?
*Always* check the changelogs BEFORE updating that important software!
-
musonius
Master Bug Buster
Posts: 203
Joined: Sun Jul 08, 2018 5:38 pm

Re: CNAME Uncloaking

Post by musonius »

At the moment, changing the preset for a domain may have effects that are very implicit and often not wanted. For example, by setting a domain to trusted you may implicitly set Eulerian, Criteo and the like to trusted as well. CNAME uncloaking would make that more visible and offer more granular control over what to allow and what not to allow.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: CNAME Uncloaking

Post by barbaz »

musonius wrote: Thu May 28, 2020 9:35 am CNAME uncloaking would make that more visible
Good point, optional CNAME uncloaking would be useful as purely informational for the user, to help the user decide what to allow and not. Especially if the Full Domains option gets re-introduced.
musonius wrote: Thu May 28, 2020 9:35 am and offer more granular control over what to allow and what not to allow.
No. NoScript would be worse off if it actually blocked/allowed based on CNAME uncloaking.

uBlock Origin has that feature for user control reasons. NoScript's permissions are domain-based already; CNAME uncloaking doesn't provide any additional control or granularity. And the feature in uBlock Origin caused my filters to break the internet. I had to disable it.

The real-world use cases I've seen for this are privacy-related. NoScript is a security tool, not a privacy tool. In terms of security, attackers compromising DNS records use IP addresses, not CNAMEs, so this won't help.

Also, in the case of NoScript, this will make it much harder to browse without having CDNs like Akamai, Cloudfront etc. always set to TRUSTED, thereby allowing more content from lots of sources and making some users' browsing less secure.
Last edited by barbaz on Fri May 29, 2020 4:56 pm, edited 1 time in total.
*Always* check the changelogs BEFORE updating that important software!
-
musonius
Master Bug Buster
Posts: 203
Joined: Sun Jul 08, 2018 5:38 pm

Re: CNAME Uncloaking

Post by musonius »

Thanks for your insightful answer!
barbaz wrote: Thu May 28, 2020 3:20 pm Good point, optional CNAME uncloaking would be useful as purely informational for the user, to help the user decide what to allow and not. Especially if the Full Domains option gets re-introduced.
I would not activate it as default because it makes things too complicated indeed. I share your experience with uBlock Origin in that regard. But I'd like to have the information and eventually be able to activate blocking domains based on CNAME uncloaking optionally. At least that's what I thought until reading and thinking through your comment.

After thinking through your answer I think you are right. Nevertheless, I'd still prefer to have more information than there is at the moment. To see what is blocked (script, media, frame, ...) certainly has the higher priority, but I'd really be interested in seeing the CNAMEs as well.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
gorhill
Junior Member
Posts: 48
Joined: Sun Mar 30, 2014 12:19 pm

Re: CNAME Uncloaking

Post by gorhill »

barbaz wrote: Thu May 28, 2020 3:20 pm uBlock Origin has that feature for privacy reasons
No, I added this feature in uBO for informed consent and control reasons. uBO is not a "privacy tool", this is reductive; uBO is a wide spectrum content blocker whose features, and especially advanced features, have both privacy and security benefits. That someone decides to trust `liberation.fr` does not mean that trust extends to `eulerian.net` -- and this is the sort of advanced control I decided to put in users' hands; they get to decide whether they block for privacy, security or whatever other reason they choose.
Last edited by barbaz on Fri May 29, 2020 5:17 pm, edited 1 time in total.
Reason: Remove distracting straw man
Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
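
To make the disagreement in this thread concrete, here is an added example (not code from uBlock Origin, NoScript or any poster) that compares a decision made on the visible hostname with one made after following the CNAME chain. All hostnames, the `SAMPLE_CNAMES` records and the function names are constructed for illustration, and `baseDomain` uses a last-two-labels shortcut where a real tool would consult the Public Suffix List.

```javascript
// Constructed DNS data: hostname -> CNAME target (not real records).
const SAMPLE_CNAMES = new Map([
  ["metrics.news.example", "news-example.tracker.example"],
  ["news-example.tracker.example", "edge7.tracker.example"],
  ["static.news.example", "d111.cdn.example"],
  ["loop-a.news.example", "loop-b.news.example"],
  ["loop-b.news.example", "loop-a.news.example"],
]);

// Simplification (assumption): the registrable domain is the last two labels.
function baseDomain(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".").slice(-2).join(".");
}

// Follow the CNAME chain to the canonical name; stop on loops or long chains.
function uncloak(host, cnames, maxHops = 8) {
  const chain = [host.toLowerCase()];
  let current = chain[0];
  while (cnames.has(current)) {
    const next = cnames.get(current).toLowerCase();
    if (chain.includes(next) || chain.length > maxHops) {
      return { chain, canonical: null };
    }
    chain.push(next);
    current = next;
  }
  return { chain, canonical: current };
}

// Compare the name-only decision with the decision after uncloaking.
// `trusted` is a Set of base domains the user has marked trusted.
function inspect(host, trusted, cnames = SAMPLE_CNAMES) {
  const { chain, canonical } = uncloak(host, cnames);
  const visible = baseDomain(host);
  const byName = trusted.has(visible) ? "allow" : "block";
  if (canonical === null) {
    // Unresolvable chain: report it and fail closed in the uncloaked view.
    return { chain, cloaked: false, actual: null, byName, uncloaked: "block" };
  }
  const actual = baseDomain(canonical);
  const cloaked = actual !== visible;
  // Uncloaked view: both the visible and the canonical domain must be trusted.
  const uncloaked = byName === "allow" && trusted.has(actual) ? "allow" : "block";
  return { chain, cloaked, actual, byName, uncloaked };
}
```

With only `news.example` trusted, `metrics.news.example` is allowed by name but blocked once uncloaked, which is the implicit trust raised earlier in the thread; `static.news.example` is blocked too until `cdn.example` is also trusted, which is the CDN cost raised in reply.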
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: CNAME Uncloaking

Post by barbaz »

gorhill wrote: Fri May 29, 2020 2:54 pm
barbaz wrote: Thu May 28, 2020 3:20 pm uBlock Origin has that feature for privacy reasons
No, I added this feature in uBO for informed consent and control reasons.
Thanks, I edited my post to correct this.
*Always* check the changelogs BEFORE updating that important software!
-